Sign in to a computer, then start an administrative PowerShell session.
Modify, then run the following commands to set the subject and template of the certificate as well as any optional DNS or IP address subject alternative name (SAN) values:
$cert_fqdn = "<FQDN for the certificate>"
# Use @() for either list when there are no extra values of that type
$cert_sans = @("<certificate SAN #1>","<certificate SAN #2>",...)
$cert_ipaddrs = @("<certificate IP address #1>","<certificate IP address #2>",...)
Run the following commands to create the temporary files for the certificate policy file and certificate request file:
$cert_file_inf = New-TemporaryFile
$cert_file_req = New-TemporaryFile
Run the following commands to create the certificate template file for certreq.exe (aka the certificate .INF file):
$cert_file_content = @"
[Version]
Signature=`"`$Windows NT`$`"
[NewRequest]
Subject=`"CN=$cert_fqdn`"
; the following allows the certificate to be exported
Exportable=TRUE
; the following places the certificate in the computer store
MachineKeySet=TRUE
KeyLength=2048
[Extensions]
2.5.29.17=`"{text}`"
_continue_=`"DNS=$cert_fqdn&`"
"@
Set-Content -Path $cert_file_inf -Value $cert_file_content
Run the following commands to add any optional DNS subject alternative names to the certificate policy file:
ForEach ($san in $cert_sans) {Add-Content -Path $cert_file_inf -Value ("_continue_=`"DNS=$san&`"")}
Run the following commands to add any optional IP address subject alternative names to the certificate policy file:
ForEach ($ipaddr in $cert_ipaddrs) {Add-Content -Path $cert_file_inf -Value ("_continue_=`"IPAddress=$ipaddr&`"")}
Run the following commands to review the certificate policy file:
Get-Content $cert_file_inf
Run the following commands to create the certificate request file:
certreq -new -f $cert_file_inf $cert_file_req
Run the following commands to review the certificate request:
Get-Content $cert_file_req
Run the following commands to retrieve the certificate request file name:
Get-Item $cert_file_req
To submit the certificate request to the preferred InCommon certificate authority, review and complete the SSL Request form in ServiceNow.
To submit the certificate request to the internal Austin certificate authority, complete the instructions on the following page: Austin Certificates - How-To - Submit custom certificates requests.
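The following is an added example, not part of the original instructions: a check to run on the subject and SAN values before they are written into the policy file, because each value is interpolated into a quoted `_continue_` line in which `&` separates SAN entries. `Test-SanInput` and the sample host names and addresses are hypothetical, constructed for illustration.

```powershell
# Added example: Test-SanInput is a hypothetical helper, not part of the original steps.
function Test-SanInput {
    param(
        [Parameter(Mandatory)][string] $Fqdn,
        [string[]] $DnsNames = @(),
        [string[]] $IpAddresses = @()
    )
    foreach ($name in (@($Fqdn) + $DnsNames)) {
        # A quote ends the INF value early, "&" starts another SAN entry,
        # and a line break starts a new INF line.
        if ($name -match '["&\r\n]') {
            "DNS '$name': contains a character that changes the INF line"
            continue
        }
        # Permit one leading wildcard label, then require a valid DNS host name.
        # An IP address placed in the DNS list is reported here as well.
        $bare = $name -replace '^\*\.', ''
        if ([Uri]::CheckHostName($bare) -ne [System.UriHostNameType]::Dns) {
            "DNS '$name': not a valid DNS host name"
        }
    }
    foreach ($ip in $IpAddresses) {
        $parsed = $null
        $ok = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)
        # TryParse accepts short forms such as "192.0.2"; require the text to round-trip.
        if (-not $ok -or $parsed.ToString() -ne $ip) {
            "IP '$ip': not a complete IPv4 or IPv6 address"
        }
    }
}

# Constructed sample values: one DNS entry and one IP entry are deliberately malformed.
$issues = @(Test-SanInput -Fqdn 'app01.example.test' `
        -DnsNames 'app.example.test', 'portal.example.test&DNS=other.example.test' `
        -IpAddresses '192.0.2.10', '192.0.2')
$issues | ForEach-Object { Write-Warning $_ }
```

With real values, pass `$cert_fqdn`, `$cert_sans` and `$cert_ipaddrs` to the function and continue to the policy file step only when it returns nothing.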
Certreq - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1